Hi Gunnar,
We're indeed also working on Client Certificate authentication (we have tested it, and now it's pending a security review).
However, to make use of this, a user must:
- Generate an X.509 certificate
- Extract the certificate as text and create a key-cert object from it
- Associate the key-cert with a maintainer in an auth: attribute
- Configure the Whois client to send the client certificate when connecting to the REST API (or Syncupdates).
This is not trivial to do, and we can see that although signed updates are supported in Whois, it has low usage.
It is still worthwhile to support this, as the credential (secret) is only stored locally on the client.
Hopefully API keys will be more "user friendly" and can be used in preference to MD5 hashed passwords.
Regards
Ed Shryane
RIPE NCC
> On 18 Mar 2020, at 09:45, Gunnar Guðvarðarson <gunnar.gudvardarson@advania.is> wrote:
>
> Hey, I think that if we get x509 client certificate authentication for the API working, it might even be easier.
> All the UI to add certs and auth them on mntners is already there, the web services just need endpoints that request and use client provided certs.
>
https://github.com/RIPE-NCC/whois/issues/534
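
The four steps listed in the reply above, sketched with the openssl CLI as an added example (not part of the thread and not RIPE NCC code). The maintainer name EXAMPLE-MNT, the certificate subject, the file names and the AUTO-1 placeholder name are assumptions.

```shell
#!/bin/sh
# Step 1: generate a self-signed X.509 certificate. The private key is
# written with owner-only permissions and stays on the client.
make_cert() {  # $1 = output directory
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
          -subj "/CN=example-mnt-client" \
          -keyout "$1/client.key" -out "$1/client.crt" 2>/dev/null )
}

# Check before submitting: the certificate must carry the public half of the
# key the client will present, otherwise authentication can never succeed.
key_matches_cert() {  # $1 = private key, $2 = certificate
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    from_crt=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_crt" ]
}

# Step 2: wrap the certificate text in a key-cert object. Each PEM line,
# BEGIN/END markers included, becomes one certif: attribute.
make_key_cert() {  # $1 = certificate file, $2 = maintainer (assumed name)
    printf 'key-cert:       AUTO-1\n'   # assumed placeholder; final name is X509-<n>
    sed 's/^/certif:         /' "$1"
    printf 'mnt-by:         %s\n' "$2"
    printf 'source:         RIPE\n'
}

# Step 3 (manual): add "auth: X509-<n>" to the maintainer, using the name
# the database assigned to the key-cert object.
# Step 4 (manual): point the client at client.crt and client.key, for
# example with curl's --cert and --key options.

workdir=$(mktemp -d)
make_cert "$workdir" \
    && key_matches_cert "$workdir/client.key" "$workdir/client.crt" \
    && make_key_cert "$workdir/client.crt" EXAMPLE-MNT
```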